Need help with af_unix audisp plugin

Rinat Gadelshin rgadelsh at gmail.com
Mon Oct 16 06:45:49 UTC 2023


Steve, thank you so much =)

I suppose you meant `ncat -U --recv-only`, because `nc` doesn't have a 
`--recv-only` option.
ncat works as expected (shows incoming audit messages).

Regards
Rinat

On 14.10.2023 00:42, Steve Grubb wrote:
> Hello,
>
> On Tuesday, October 10, 2023 11:53:06 AM EDT Rinat Gadelshin wrote:
>> Could I ask your help with the plugin?
> The mail list might get a faster response. I sometimes get busy.
>
>> I try to check it by the following way on my Ubuntu 20.04:
>>
>> - `systemctl stop auditd`
>> - set 'active' parameter to 'yes' (file /etc/audisp/plugins.d/af_unix.conf)
>> - `systemctl start auditd`
>> - `systemctl status auditd` shows that the service is running.
>> - `auditctl -w /tmp/delme`
>> - `auditctl -l` shows that the rule has been successfully added.
>> - `ls -l /var/run/audispd_events` prints "srwxr-xr-x 1 root root 0 okt
>> 10 18:38 /var/run/audispd_events"
>> - launch `nc -Ul /var/run/audispd_events` in another terminal
>> - `echo 1 > /tmp/delme`
>>
>> Expected result: `nc` has received some audit events for the file.
>> Actual result: `nc` has received nothing.
> nc -U --recv-only /var/run/audispd_events
>
>> Can you tell me what I did wrong?
> See above.
>
> -Steve
>
>

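The exchange above shows the check that works: the af_unix plugin creates the socket, so the receiver has to connect to it as a client (`ncat -U --recv-only`), not listen on the path the way `nc -Ul` does. The script below is an added example and is not code from this thread or from the audit project. It does what `ncat` does, then goes one step further: it connects to the socket, splits the stream into records, groups them by audit serial, and reports which events carried a PATH record naming the watched file (`/tmp/delme` in the thread). Assumptions, labelled in the code as well: the socket path `/var/run/audispd_events` from the thread, SOCK_STREAM mode, and records arriving one per line in the same `type=... msg=audit(ts:serial): ...` format as audit.log. The sample records at the bottom are constructed, with trimmed and made-up field values, so the parser can be exercised without a running auditd.

```python
#!/usr/bin/env python3
"""Consumer for the audisp af_unix plugin socket.

Added example, not code from the linux-audit thread or the audit project.
Assumptions: the plugin listens on /var/run/audispd_events as a SOCK_STREAM
socket, and records arrive newline-terminated in audit.log "string" format.
"""
import re
import socket
import sys
from collections import defaultdict

SOCKET_PATH = "/var/run/audispd_events"  # assumption: path seen in the thread

# Record header; auditd may prepend "node=<host> " when name_format is set.
_HEADER = re.compile(
    r"^(?:node=\S+\s+)?type=(?P<type>\S+)\s+msg=audit\("
    r"(?P<ts>[0-9]+\.[0-9]+):(?P<serial>[0-9]+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one record line into a dict, or return None if it is not a record."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    rec = {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    for key, val in _FIELD.findall(m.group("rest")):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def group_events(records):
    """Group records by serial; all records of one event share a serial."""
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return dict(events)


def events_touching(events, path):
    """Serials of events that carry a PATH record whose name is `path`."""
    return sorted(
        serial for serial, recs in events.items()
        if any(r["type"] == "PATH" and r.get("name") == path for r in recs)
    )


def iter_records(sock):
    """Yield parsed records from a connected stream socket until it closes."""
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            return
        buf += chunk
        *lines, buf = buf.split(b"\n")  # keep any partial trailing line
        for raw in lines:
            rec = parse_record(raw.decode("utf-8", "replace"))
            if rec is not None:
                yield rec


# Constructed sample: roughly what `echo 1 > /tmp/delme` under a key-less watch
# rule produces (serial 456), plus an unrelated open of /etc/hosts (serial 457).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1697049490.123:456): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=55d0f0c2a2d0 a2=241 a3=1b6 items=2 '
    'ppid=1345 pid=1402 auid=1000 uid=0 euid=0 tty=pts0 comm="bash" '
    'exe="/usr/bin/bash" key=(null)',
    'type=CWD msg=audit(1697049490.123:456): cwd="/root"',
    'type=PATH msg=audit(1697049490.123:456): item=0 name="/tmp/" inode=2 '
    'dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1697049490.123:456): item=1 name="/tmp/delme" '
    'inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1697049490.123:456): proctitle="bash"',
    'type=EOE msg=audit(1697049490.123:456): ',
    'type=SYSCALL msg=audit(1697049491.001:457): arch=c000003e syscall=257 '
    'success=yes exit=4 items=1 pid=1410 uid=0 comm="cat" exe="/usr/bin/cat" '
    'key=(null)',
    'type=PATH msg=audit(1697049491.001:457): item=0 name="/etc/hosts" '
    'inode=777 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=EOE msg=audit(1697049491.001:457): ',
]


def demo():
    """Parse the constructed sample; returns serials that touched /tmp/delme."""
    records = [r for r in map(parse_record, SAMPLE_LINES) if r is not None]
    return events_touching(group_events(records), "/tmp/delme")


if __name__ == "__main__":
    watched = sys.argv[1] if len(sys.argv) > 1 else "/tmp/delme"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(SOCKET_PATH)  # connect as a client; the plugin owns the socket
        for rec in iter_records(s):
            if rec["type"] == "PATH" and rec.get("name") == watched:
                print("event %d touched %s" % (rec["serial"], watched))
```

Run it as root (or as a user allowed by the socket's mode) while auditd is running with the plugin active, then `echo 1 > /tmp/delme` in another terminal; each write shows up as one line with the event serial. Grouping by serial matters because the watched file name lives in a PATH record, while the SYSCALL record in the same event carries who did it (auid, uid, comm, exe).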